Extortion isn’t uncommon in the cyber crime world. Few emails are worse to receive than “We have your customer data, pay us $xx or we’ll release the data publicly”, and that’s exactly what happened to one large-scale manufacturer and retailer of consumer goods in North America.

The IT department received two emails, the first claiming that the sender had their customer data and demanding $50k, backed by the threat that the data would otherwise go public. Slightly eyebrow-raising, but these sorts of things are often just spam. The second email, however, had samples of customer data and, once the IT department had verified the samples, the security team got involved.

The Verizon Risk team discovered a vulnerability in the manufacturer’s e-commerce platform that enabled anyone to view the HTML order page for any customer orders simply by changing the number in the URL. This is an incredibly basic vulnerability – one that should have been picked up a long time ago. Over a four-week period, the hacker downloaded over 1.5 million customer records – totalling several hundred gigabytes of data.
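The flaw in the story above is an insecure direct object reference: the order page trusts the number in the URL and never checks who owns the order. What follows is an added example, not code from the retailer, its e-commerce platform or Verizon; the order data, the log lines, the IP addresses and every function name are constructed for illustration. It shows the vulnerable lookup next to a hardened one that checks ownership against the server-side session, and a simple access-log check that flags a client fetching an unusual number of distinct order ids, which is the pattern a four-week, 1.5-million-record download leaves behind.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    html: str


# Constructed sample data (not the retailer's): sequential order ids, two customers.
ORDERS = {
    1001: Order(1001, customer_id=7, html="<p>Alice, 12 Main St, card ****1111</p>"),
    1002: Order(1002, customer_id=9, html="<p>Bob, 4 Elm Ave, card ****2222</p>"),
    1003: Order(1003, customer_id=7, html="<p>Alice, 12 Main St, card ****1111</p>"),
}


class Forbidden(Exception):
    """Raised when the requested order is missing or belongs to someone else."""


def order_page_vulnerable(order_id: int) -> str:
    """The flaw described above: the id comes straight from the URL
    (e.g. /orders?id=1002) and nothing ties it to the logged-in customer,
    so changing the number returns another customer's order page."""
    order = ORDERS.get(order_id)
    return order.html if order else ""


def can_view(order_id: int, session_customer_id: int) -> bool:
    """Ownership check. The customer id comes from the server-side session,
    never from a cookie value or form field the client controls."""
    order = ORDERS.get(order_id)
    return order is not None and order.customer_id == session_customer_id


def order_page_hardened(order_id: int, session_customer_id: int) -> str:
    """Same lookup, but refuse anything the session does not own. Missing and
    foreign orders get the identical error so the response does not reveal
    which ids exist."""
    if not can_view(order_id, session_customer_id):
        raise Forbidden(f"order {order_id} is not visible to this session")
    return ORDERS[order_id].html


def enumeration_suspects(log_lines, threshold: int = 50) -> dict:
    """Flag clients that fetched at least `threshold` distinct order ids.
    Expects constructed access-log lines shaped '<ip> GET /orders?id=<n> <status>'.
    A real customer looks at a handful of their own orders; a scraper walking
    sequential ids looks at thousands. The threshold is an assumed value."""
    distinct = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3 or not parts[2].startswith("/orders?id="):
            continue
        try:
            order_id = int(parts[2].split("=", 1)[1])
        except ValueError:
            continue
        distinct[parts[0]].add(order_id)
    return {ip: len(ids) for ip, ids in distinct.items() if len(ids) >= threshold}


# Constructed log: one genuine customer viewing two orders, one client walking 200 ids.
SAMPLE_LOG = [
    "203.0.113.5 GET /orders?id=1001 200",
    "203.0.113.5 GET /orders?id=1003 200",
] + [f"198.51.100.9 GET /orders?id={n} 200" for n in range(1000, 1200)]


if __name__ == "__main__":
    print(order_page_vulnerable(1002))                      # anyone gets Bob's page
    print(order_page_hardened(1001, session_customer_id=7))  # Alice sees her own order
    try:
        order_page_hardened(1002, session_customer_id=7)
    except Forbidden as exc:
        print("blocked:", exc)
    print(enumeration_suspects(SAMPLE_LOG))                 # {'198.51.100.9': 200}
```

Two design points: the hardened lookup answers "not found" and "not yours" identically, so a probe cannot use the response to confirm which ids exist, and the check is a server-side authorisation decision, not a change to the id format; switching to long random order ids makes guessing harder but is no substitute for checking ownership on every request.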

A rock and a hard place

Having confirmed that the hacker's data was genuine, and refusing to pay the ransom, the manufacturer had only one option: beat the attacker to the punch.

The PR team kicked in and informed all of the organisation’s customers that they had suffered a serious breach and promised to do better.

The organisation rebuilt its e-commerce platform from scratch and implemented a full testing and development procedure, which included routine vulnerability scanning and penetration testing—something that should already have been in place.

Regular testing is a must

Organisations that fail to test their websites and networks for vulnerabilities are leaving their own and their customers’ data at risk. The vulnerability exploited in this attack was incredibly basic and something even a micro-organisation should be protected against.

Conducting regular penetration tests is the best method to detect vulnerabilities before they get exploited by people with bad intentions. Can you afford the cost of a data breach? Most can’t.